 |  |  |  |  |  |  |  |
OMG! Please Help!
 |
Hi!I came home one day and I found a new account on the login screen {I use XP and Internet Explorer, btw}
My Name)(My Roommate's Name)AdminestratorSomehow, someone hacked into my computer with a new admin account {I do have the default Admin account in Safe Mode, though.} So I assumed my settings MUST have been messed with. Sure enough!These are my computer's current problems:~ (Almost) NO Internet Access. Right now I'm on FastFreeProxy, desperately trying to fix my computer. For some reason I can access obscure sites that I never go to. However, the sites that I go on a daily basis load to a blank page with "Invalid syntax error" as a header.~ I can't downloading ANYTHING. I tried to download FireFox but instead I received this message-:"Your current security settings do not allow this file to be downloaded."Not only that but when I tried downloading FireFox off of LimeWire and opened .exe, I was blocked from even opening it! So I can use AIM/Limewire (which saved my life, btw.)Anyway, my HiJackThis:Logfile of HijackThis v1.99.1Scan saved at 00:47, on 07-04-19Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\WINDOWS\csrss.exeC:\Program Files\AIM\aim.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\HJT\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyborgsmoke.angelfire.com/O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odlO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
My Name)(My Roommate's Name)AdminestratorSomehow, someone hacked into my computer with a new admin account {I do have the default Admin account in Safe Mode, though.} So I assumed my settings MUST have been messed with. Sure enough!These are my computer's current problems:~ (Almost) NO Internet Access. Right now I'm on FastFreeProxy, desperately trying to fix my computer. For some reason I can access obscure sites that I never go to. However, the sites that I go on a daily basis load to a blank page with "Invalid syntax error" as a header.~ I can't downloading ANYTHING. I tried to download FireFox but instead I received this message-:"Your current security settings do not allow this file to be downloaded."Not only that but when I tried downloading FireFox off of LimeWire and opened .exe, I was blocked from even opening it! So I can use AIM/Limewire (which saved my life, btw.)Anyway, my HiJackThis:Logfile of HijackThis v1.99.1Scan saved at 00:47, on 07-04-19Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\WINDOWS\csrss.exeC:\Program Files\AIM\aim.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\HJT\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyborgsmoke.angelfire.com/O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odlO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe Last edited by X-Pac; Apr 19th, 2007 at 2:21 am.
•
•
Join Date: Jan 2007
Posts: 479
Reputation: 
Solved Threads: 21
Posting Pro in Training
You're not going to get very far w/out Admin. priveleges. if you have the original setup disc then you have options which basically is to install over the current setup. once you have Admin. control delete ALL other accounts. you'll have to reinstall some drivers and apps. but you'll have your system back. copy wpa.* from system32 to a floppy just in case they get lost somehow.
Hey, thanks for the help. I actually do have Admin controls as I am the only one with those settings. The "Adminestrator" account was deleted because it looked to me like an obvious hacked incident.If you could (and I apologize for my awful formatting skills- for some reason I can't break sentences into paragraphs), could you explain a little better? My security settings and Internet are hacked but I have to reinstall EVERYTHING? Does that mean I have to save all my files, etc.?Thank-you!
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
...for unravelling that log format you owe me a beer. Go into safe mode cos I would like you to check if you still have this file:
C:\Windows\system32\csrss.exe
[Either go Control panel > folder options OR in an explorer window > tools>folder options; then view tab, and
-press Show hidden files and folders]..
If you do have it, and I'm pretty sure you must cos not a lot would happen without it being there so DON'T touch it, then the file:
C:\Windows\csrss.exe - is an imposter. It may be tricky to get rid of, it may not. Since you have hijackthis please start it and press Open the Misc tools Section, and then Delete a file on reboot. In the window that opens paste:
C:\Windows\csrss.exe
and press Open, and Yes.
Your pc will restart.
One more thing - since you have AVG FRE, why not run its email scanner?
Anyway, please post another hijackthis log, but this time with more of an eye to the formatting...
[your post is amazing! the script flows right off my page!]
C:\Windows\system32\csrss.exe
[Either go Control panel > folder options OR in an explorer window > tools>folder options; then view tab, and
-press Show hidden files and folders]..
If you do have it, and I'm pretty sure you must cos not a lot would happen without it being there so DON'T touch it, then the file:
C:\Windows\csrss.exe - is an imposter. It may be tricky to get rid of, it may not. Since you have hijackthis please start it and press Open the Misc tools Section, and then Delete a file on reboot. In the window that opens paste:
C:\Windows\csrss.exe
and press Open, and Yes.
Your pc will restart.
One more thing - since you have AVG FRE, why not run its email scanner?
Anyway, please post another hijackthis log, but this time with more of an eye to the formatting...
[your post is amazing! the script flows right off my page!]
Last edited by gerbil; Apr 19th, 2007 at 11:13 pm.
I tried to format the text. I know it's horrific when I posted it. How DO I format my sentences? As the Enter key doesn't seem to work. =/
Last edited by X-Pac; Apr 20th, 2007 at 12:16 am.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
well, the HT log comes up in notepad. Just click format tab and uncheck wordwrap. CtrlA, CtrlC, into the postbox and CtrlV. Ought to work.
I tried to click the icons, but they don't seem to work for me. Go Proxy Server! I'll try and make my HiJackThis less-bad: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\HJT\HijackThis.exe . . . . . O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
There wasn't any change to my Internet/Download Restrictions. Er. I really don't want to reformat my partition/reboot XP. I would need lottts of DVDs to store my music, programs and plug-ins. Ack!
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Check your hosts file for a start; it should look something like this unless you have added sites..... this is mine, an it's the default:-
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
_______________________________________________
..to see this go c:\windows\system32\drivers\etc. Open a notepad and drag hosts from the right pane into it. If there are entries below the localhost one that you do not recognise or did not put there, then you need to reset the hosts file.
=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
_______________________________________________
..to see this go c:\windows\system32\drivers\etc. Open a notepad and drag hosts from the right pane into it. If there are entries below the localhost one that you do not recognise or did not put there, then you need to reset the hosts file.
=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
that etc after drivers\ above is real, not me being lazy...
Check this too:
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
And if it does come to doing a windows REPAIR you won't lose your files...
Check this too:
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
And if it does come to doing a windows REPAIR you won't lose your files...
Last edited by gerbil; Apr 20th, 2007 at 3:16 am.
|
Similar Threads
- svchost.exe 100% cpu usage pissing me off :( (Windows NT / 2000 / XP)
- General Tab missing in Internet Options (Web Browsers)
- asl (Geeks' Lounge)
- Can't get samba to work! (*nix Software)
- Windows media player (Windows NT / 2000 / XP)
- Windows XP keeps restarting since a new video card (Windows NT / 2000 / XP)
- have you ever abused ur powers? (Geeks' Lounge)
- Solar Storm (Troubleshooting Dead Machines)
- I am back (for now) (Geeks' Lounge)
- SAP DB - The FREE Enterprise Open Source Database (Oracle)
Other Threads in the Windows NT / 2000 / XP Forum
- Previous Thread: Problem with Sound Device and PC Rebooting
- Next Thread: PC no do much at all
| Thread Tools | Search this Thread |
Latest Windows NT / 2000 / XP Posts
- Today's Posts
- Unanswered Threads
Related Forum Features
Tag cloud for Windows NT / 2000 / XP
.net 3.5 3daccelertion 64bit 2007 2010 a.exe activedirectory address android apache application appstore arm automatically black blue bluescreen boot bsod canonical chinese codeplex combofix computerfreezes cursor deployment desktop desktops dns domain downloads drive eartlink error explorer fax firefox fontmanagers fonts format framework freeze gadgets home install intel laptop latitude linux login mac markshuttleworth microsoft minimalizes monitor netbooks nvidia open opensource operatingsystems options osinstallationproblem osx outlook palm partition patch port printer program proxy raid rds reformat remotedesktop repair replacingraiddrive screen server. sharepoint simplifiedchinese sitetositevpn studios ubuntu unreadable update upgrade videodrivers virus visual volume vpn vulnerability window windows windows7 windowsxp windowsxpnotstartingup. xp
